Wire startup orchestration: correct sequence, middleware order, TLS, ConnectInfo, sd_notify

Consolidate startup logic into main.rs following operations.md sequence:
1. Parse/validate config, 2. Init DynamicConfig ArcSwap, 3. Init shared state
(rate limiter, clients, logging), 4. Bind health check port, 5. Bind admin
socket, 6. Bind all listener ports (HTTP+HTTPS), 7. Load TLS config,
8. Start TCP listeners, 9. Start background tasks, 10. Signal readiness

Key changes:
- main.rs: Complete startup orchestration with proper sequence, TLS handling,
  ConnectInfo propagation, sd_notify, graceful shutdown
- server.rs: Simplified to just serve_https_listener with shutdown support
- proxy/mod.rs: Added build_router() with correct middleware order
  (rate limiting → body limit → routing → proxy handler)

src/proxy/mod.rs

@@ -11,6 +11,17 @@ use std::sync::Arc;
 use arc_swap::ArcSwap;
 
 use crate::config::DynamicConfig;
+use crate::rate_limit::RateLimiter;
+
+pub fn build_router(
+    proxy_state: Arc<ProxyState>,
+    config: Arc<ArcSwap<DynamicConfig>>,
+    rate_limiter: Arc<RateLimiter>,
+) -> axum::Router {
+    let router = proxy_router(proxy_state);
+    let router = router_with_body_limit(router, config);
+    router_with_rate_limit(router, rate_limiter)
+}
 
 pub fn router_with_body_limit(
     router: axum::Router,
@@ -21,3 +32,13 @@ pub fn router_with_body_limit(
         body_limit::body_limit_middleware,
     ))
 }
+
+pub fn router_with_rate_limit(
+    router: axum::Router,
+    rate_limiter: Arc<RateLimiter>,
+) -> axum::Router {
+    router.layer(axum::middleware::from_fn_with_state(
+        rate_limiter,
+        crate::rate_limit::rate_limit_middleware,
+    ))
+}